Running the FF Device Agent on Windows 11 as a standard (not admin) user

I’m trying to run the device agent on Windows 11. I can get it to run fine when logged in as an Admin but I need it to be able to execute as a standard user due to organisation security policies. Has anyone got that working?

When I try to run the device agent as the standard user I get the following error:

'flowfuse-device-agent' is not recognized as an internal or external command, operable program or batch file.

I’ve tried giving the standard user read and write access to /opt/flowfuse-device but I’m still getting the error.

I completed the agent install steps after running CMD as Admin from standard user account. If I run the device agent (flowfuse-device-agent) while still running as Admin the device agent starts correctly.

Hi Rob. This is an unfortunate situation caused by a combination of the way node global installs work on windows by default, windows per-user paths and a couple of other things I will touch on later.

First, some useful command line tips

  1. Determine the install path for “global” installs: npm root -g
  2. Viewing the current users path: path
  3. Viewing the current user set | find "USERNAME"

Global install is global to a user (not the OS) by default

If you run the command to determine the “global” install path for your admin user and for your normal user, you will see they are 2 different locations.

To simplify that statement, NPM Global Instals are “Global to the user” not “Global to the OS” (by default).

With that in mind, you can determine that installing the device agent globally as the admin means a standard user cannot access it.

Next, there is the issue of path. I have found over the years (and never really nailed it down) that the path env var of node-js can be missing from the standard user. I suppose I could run a bunch of tests to find the right / wrong way to achieve this but in essance, the user attempting to run flowfuse-device-agent must either have the right path settings OR use the FULL path when launching the flowfuse-device-agent

By default, on windows, npm -g installs to %USERPROFILE%\AppData\Roaming\npm and that is where the batch file to start up flowfuse-device-agent gets written. If %USERPROFILE%\AppData\Roaming\npm is NOT in the users path, then it will shout out what you witnessed “‘flowfuse-device-agent’ is not recognized as an internal or external command”

Your options

  1. Change NPM global install path to a central location so that it is truly “global”
    • This is the method best suited to server like devices (those not intended to be used by multiple different users for general purpose tasks)
    • PRO: For machines administered by an IT dept, this can work well. Global installs are restricted the path configured (typically somewhere protected like c:\ProgramData\npm\..., then a restricted user account is used to run the application
    • PRO: NodeJS Applications on the machine can easily and safely be Ran as a service
    • CON: Regular users are highly restricted
  2. Permit the user to perform npm -g installations
    • On an OOB windows installation, this is the default (IIRC)
    • PRO: User can install and run global packages from the command line. This is not as “scary” as it sounds since the restricted user can only do what they are permitted to do by way of their account settings and restrictions.
    • PRO: Different users can have their own “globally” installed versions of nodejs applications
    • CON: It is not so straight forward for applications to be “ran as a service” (can be done with Local Policy or domain account policy).

My Notes and Musings

Since the device agent is typically used as a long running application/service, it is more suited to a “server” setup (be that a VM, an edge device, RPi etc). It doesn’t necessarily mean it should be “Windows Server” just that it is more suited to device that is not intended to be a multi-purpose, multi-user computer in your average office.

If however, a typical user on a typical multi-user, general purpose office PC wishes to use/test the device agent, then that too is fine (bearing above restrictions in mind).

Assuming server like (edge?) device

Where an admin sets up the computer and typically runs the agent as a service, and has a user group for “support” users, this would be my recommendation.

As an admin
  1. Remove/revert any npm path changes
  2. Create a restricted account (the account that will run the agent) and update Local Security Policy to permit the account to “Run a service”
  3. Re-install latest node LTS (16 is currently the recommended version for device agent, but 18 is a better choice IMO)
    • Be sure to tick the box to include Tools for Native Modules when prompted
  4. Create a service account (the account that will run the agent)
  5. Create c:\opt\flowfuse-device directory and ensure the service-account has read + write access to it
As the service account

TIP: You can fire up a cmd from the logged in admin account to save logging off. From a command prompt, enter runas /user:agent-service cmd
(where agent-service is the name of the service account created above)

  1. Perform the install as per the agent docs npm install -g @flowfuse/device-agent
  2. get the npm path for this user by running npm root -g
  3. check the users path - the npm path should be present. If not, run rundll32 sysdm.cpl,EditEnvironmentVariables and add it
As an admin
  1. Set up a service runner to run the agent.
    1. There are many options however I would recommend nssm as you can set it up to redirect the stdout and stderr to file for later interrogation (it has log rotation too) (without this, the admins/support guys will have no logs since they will disappear into the ether!)
  2. Remember to set the service to log on as your service account.

NOTE: I have not tested all of this (most of it is from memory from a few years back), but I hope there are enough pointers to get you moving in the right direction. Please do feedback your findings and feel free to ask questions - I will try to help you get up and running.